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Toward  a  Unified  Logical  Basis  for  Programming  Languages 


Chih-sung  Tang 

(Department  of  Computer  Science,  Stanford  University) 
(Institute  of  Computing  Technology,  Academia  Sinica) 


It  is  reasonable  to  hope  that  the  relationship  between  computation  and  mathematical  logic 
will  be  as  fruitful  in  the  next  century  as  that  between  analysis  and  physics  in  the  last. 
The  development  of  this  relationship  demands  a  concern  for  both  applications  and  for 
mathematical  elegance. 


John  McCarthy  [11] 


l\^weword. 

In  recent  years,  more  and  more  computer  scientists  have  been  paying  attention  to  temporal  logic,  since 
there  are  many  properties  of  programs  that  can  be  described  only  by  bringing  the  time  parameter  into 
consideration.  But  existing  temporal  logic  languages,  such  as  Lucid,  in  spite  of  their  mathematical  elegance, 
are  still  far  from  practical.  I  believe  that  a  practical  temporal-logic  language,  once  it  came  into  being,  would 
have  a  wide  spectrum  of  applications. 

XYZ/E  is  a  temporal- logic  language.  Like  other  logic  languages,  it  is  a  logic  system  as  well  as  a 
programming  language.  But  unlike  them,  it  can  express  all  conventional  data  structures  and  control 
structures,  nondeterminate  or  concurrent  programs,  even  programs  with  branching-time  order.  We  find  that 
the  difficulties  met  in  other  logic  languages  often  stem  from  the  fact  that  they  try  to  deal  with  these  structures 
in  a  higher  level.  XYZ/E  adopts  another  approach.  We  divide  the  language  into  two  forms:  the  internal  form 
and  the  external  form.  The  former  is  lower  level,  while  the  latter  is  higher.  Just  as  any  logic  system  contains 
rules  of  abbreviation,  so  also  in  XYZ/E  there  are  rules  of  abbreviation  to  transform  the  internal  form  into 
the  external  form,  and  vice  versa.  These  two  forms  can  be  considered  to  be  different  representations  of  the 
same  thing.  We  find  that  this  approach  can  ameliorate  many  problems  of  formalisation.  — — f 

XYZ/E,  like  other  temporal- logic  languages,  treats  variables  as  temporal  object,  t.e.  it  looks  upon  them 
as  potentially  infinite  vectors,  each  component  of  them  corresponding  to  a  time.  Elephant[12]  expresses  a 
variable  v  as  u(t)  with  the  time  parameter  f  explicitly  indicated.  But  since  this  method  of  expression  must 
make  use  of  second-order  logic  to  express  assertions  of  a  program;  it  seems  too  strong.  Another  approach 
is  to  represent  the  value  of  v  as  Apply(v,t).  It  is  now  within  first-order  theory.  However  we  choose  a  third 
approach,  the  modal-logic  approach,  and  we  express  Apply(u,  t)  as  #u  and  App!y(v,t  -f-  1)  as  o#v.  Here, 
“o"  is  an  operator  meaning  next  time.  The  Bymbol  v  is  only  a  name  and  has  no  value;  only  # v  or  o#v  has 
a  value  [13]. 

With  this  convention,  the  statement  expressed  conventionally  as  "v  «—  v  -f-  1"  is  expressed  by  “o#t>  = 
#v+ 1.”  Control  flow  can  be  handled  similarly;  thus,  the  statement  goto  x  is  expressed  in  XYZ/E  by  o#lb  = 
z,  where  lb  is  a  special  variable  in  the  language  used  to  indicate  labels  in  control  flow.  The  proposition  that 
we  are  at  label  z  in  a  program  can  be  expressed  by  the  equation  #lb  =  z.  These  are  the  basic  steps  in 
expressing  the  statements  of  a  conventional  language  as  logical  formula  in  XYZ/E.  yS 

This  research  was  supported  in  part  by  the  Office  of  Naval  Research  under  contract  N00014-76-C-0687  and 
in  part  by  the  Air  Force  Office  of  Scientific  Research  under  contract  AFOSR-81-0014. 
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In  fact,  the  logical  structures  in  both  data  and  statements  are  identical;  arrays  correspond  to  loops, 
records  to  compound  statements,  pointers  to  goto  statements,  etc.  Starting  with  a  few  basic  lower-level 
items,  we  can  construct  complicated  data  and  control  structures  with  the  same  logical  mechanism. 

To  make  this  possible,  we  create  a  new  naming  mechanism.  A  name  has  three  parts:  One  is  the  type 
symbol  which  represents  the  type  of  the  variable.  Since  XYZ/E  is  a  many-soited  logical  system,  this  part  is 
necessary,  but  it  can  be  omitted  in  abbreviation.  The  second  part  is  a  conventional  identifier.  The  third  is 
the  name  index  which  is  used  to  express  the  component  of  a  vector  or  a  record.  For  example,  Iabc-(S)-age 
represents  a  data  item  which  is  the  age  component  of  a  record  which  is  the  third  component  of  the  array 
abc.  This  data  item  is  of  type  integer,  which  is  expressed  by  type  symbol  I.  For  the  component  of  an  array 
or  loop,  we  can  use  a  name  scheme  instead  of  a  label,  e  g.  abc-(#Kabc),  where  #Kabc  is  an  integer  variable 
which  can  have  as  its  value  the  positive  integers  in  the  process  of  looping.  Thus  abc-(ftKabc)  can  produce 
different  labels  of  the  same  pattern. 

The  two  kinds  of  control  structures  have  not  been  clearly  distinguished  in  conventional  languages: 
the  local  control  structures,  which  are  the  control  of  information  flow  within  one  statement,  and  the  total 
control,  which  expresses  the  information  flow  among  modules  and  the  whole  program.  In  accordance  with  the 
differences  in  total  structures,  we  divide  the  language  into  three  layers:  the  flowchart  structure,  the  module 
structure,  and  the  nondeterminate  structure  (t.e.  Petri  net  structure).  Each  structure  is  an  extension  of  the 
previous  one,  but  with  more  data  types  and  control  forms.  The  whole  language  is  divided  into  XYZ/EO, 
XYZ/E1,  aud  XYZ/E2 

With  these  conventions,  XYZ/E  can  be  used  not  only  as  a  logic  system  to  express  the  assertions  and 
properties  of  the  programs,  but  also  as  a  practical  programming  language  which  can  express  any  algorithm 
expressible  by  conventional  languages. 

Thus,  XYZ/E  is  meaningful  not  only  in  program  verification  but  in  other  areas,  such  as  formal  seman¬ 
tics  In  my  opinion,  the  essence  of  programming  languages  and  systems  is  operational,  so  an  operational 
approach  to  formal  semantics  looks  more  natural;  however  systems  such  as  VDL  involve  details  which  be¬ 
come  voluminous;  while  the  denotational  approach,  such  as  the  Scott-Strachey  system,  is  more  elegant, 
their  treatment  of  the  higher-level  control  structure,  i.e.  continuation,  seems  unnatural  since  the  operational 
aspects  of  the  system  have  been  twisted.  But  in  XYZ/E  the  operational  characteristics  of  the  language 
are  concentrated  into  the  temporal  transition  of  the  time  parameter  and  all  the  rest  are  static.  As  a  logic 
system,  its  formal  semantics  can  be  as  easily  defined  denotationally  as  in  any  logic  system;  on  the  other 
hand,  it  is  an  assembly-like  language,  so  that  it  is  easy  to  construct  a  compiler-like  transformation  to  map 
the  semantics  of  higher-level  language  into  this  language.  The  formal  semantics  of  any  higher-level  language 
can  be  expressed  in  this  two-level  way.  Importantly,  the  formal  semantics  of  a  language  becomes  tightly 
connected  with  its  compiler.  Many  people  have  shown  a  strong  interest  in  using  the  compiler  as  the  formal 
semantics  of  a  higher-level  language.  They  have  failed  because  the  semantics  of  the  language  to  which  the 
compiler  is  to  map  is  not  easily  formalized.  But  XYZ/E,  as  a  logic  language  does  not  have  this  defect;  its 
own  semantics  can  be  easily  formalized  denotationally.  We  can  use  XYZ/E  to  describe  the  formal  semantics 
of  other  programming  systems.  There  is  yet  another  fact  often  neglected:  for  almost  all  formal  semantics 
methods,  using  their  symbolisms  to  describe  the  semantics  of  a  programming  system  is  a  hard  job.  Often,  it 
is  more  difficult  to  do  that  than  to  write  a  medium-size  compiler.  But  to  use  XYZ/E  to  describe  the  formal 
semantics  of  a  language  is  identical  to  writing  the  semantic  routines  for  its  compiler. 

With  certain  extensions,  XYZ/E  is  also  suitable  to  serve  as  an  abstract  specification  language.  It  can 
also  be  used  as  a  formal  means  of  describing  the  process  of  hierarchical  programming.  This  is  another  major 
application  of  XYZ/E,  which  we  discuss  in  [16]. 

XYZ/E  has  yet  other  applications.  It  can  be  used  as  a  portable  intermediate  language.  Since  it  can  be 
used  to  describe  the  semantics  of  compilable  languages  and  is  also  portable  to  different  machines,  it  has  the 
characteristics  of  an  ‘UNCOL’  in  some  restricted  sense.  Since  both  transformations  from  higher-level  lan¬ 
guages  to  XYZ/E  and  the  inverse  transformations  exist,  it  may  be  used  for  source- to- source  transformations 
[!)• 

Since  it  treats  data  structure  and  control  structure  in  a  similar  way,  this  language  can  remember  past 
history.  Its  application  to  data-base  management  systems  is  strongly  expected. 

T*  Not  only  does  XYZ/E  have  various  practical  applications,  it  also  has  a  theoretical  impacW.As  is  well 
known,  most  higher-level  programming  languages  can  be  roughly  divided  into  two  kinds:  applicative  and 
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algorithmic;  LISP  is  representative  of  the  first,  and  representatives  of  the  latter  include  Algol  60,  Fortran, 
etc.  It  has  been  widely  agreed  upon  that  X  calculus,  or  more  generally,  theory  of  computability,  is  the 
logic  foundation  of  applicative  languages;  but  what  theory  can  be  considered  as  the  logic  background  of 
algorithmic  languages?  No  satisfactory  answer  seems  to  exist  yet.  A  natural  conclusion  after  the  overview 
presented  above  is  that  most  probably,  temporal  logic  can  serve  this  Durpose.  The  external  form  of  XYZ/E 
can  be  considered  as  a  model,  and  its  internal  form  as  a  kind  of  intermediate  representation. 


3 


2.  XYZ/EO,  Internal  and  External  Form  of  The  Language. 

A  computer  system  consists  of  different  layers  of  an  abstract  machine.  Each  layer  has  its  super  control 
structure,  which  is  the  basic  framework  to  control  the  flow  of  information  within  that  layer.  The  most  basic 
super  control  structure  is  flowchart  structure.  XYZ/EO  is  a  language  which  uses  this  structure. 

The  following  are  the  features  of  XYZ/EO,  and  are  also  the  common  features  of  the  whole  XYZ/E 
family. 

(1)  Names: 

All  names  used  to  represent  the  entities  in  the  system  consists  of  three  parts  concatenated  consecutively: 
type  symbol,  name  root  and  index  part,  which  are  defined  as  follows: 

<name>  <type  symbolxname  rootxname  index> 

<type  symbol>  ::=  <data  type>  |  <labet> 

<data  type>  ::=  <basic  type>  |  structured  type> 
ebasic  type>  I  |  C  |  B  j  <extensible> 

Hereafter,  we  use  the  convention  <extensible>  to  mean  that  it  is  subject  to  possible  extension. 

structured  type>  ::=  V<data  type>  |  R{<data  type  sequences-} 

|  P<data  types  |  sxtensibles 

<data  type  sequences  ::=  <data  types  |  <data  type  sequences , <data  types 
<name  roots  <identifiers 

Here  identifier  is  used  in  the  conventional  sense,  but  the  letters  in  it  are  limited  to  small  Roman  letters. 

same  indexs  ::=  <emptys  |  same  indexs_<nodes 
sodes  ::=  <identifiers  |  cintegers  |  (<integers) 

<1 abe Is  : : *  L 

We  use  the  capital  letters  I,  C,  B,  V,  R,  P  to  represent  the  types  integer,  character,  boolean,  vector, 
record,  and  pointer  respectively  The  index  node  identifer  or  integer  is  used  to  denote  the  component  of  a 
record  or  a  compound  statement;  (cintegers)  is  used  to  denote  the  component  of  a  vector  or  a  loop. 
We  use  the  Greek  letters  "d,  a,  ir"  as  meta  symbols  to  represent  <type  symbols,  same  roots,  and 
same  indexs  respectively;  we  also  use  X  to  represent  air.  In  order  to  be  more  readable,  we  also  use  x,  y, 
z,  u,  v,  w  to  represent  any  name  if  its  type  symbol  is  not  L. 

Thus  VR{I,C,f}abc  means  that  abc  is  a  vector  whose  elements  are  of  the  type  record  R{I,C,J}  with  I, 
C,  /  as  the  types  of  its  three  subficlds.  Iabc-(3)-age  is  the  data  item  of  the  record  of  the  vector  o6c  which 
is  labeled  age. 

We  still  need  the  concept  of  name  scheme. 

same  schemes  <type  symbolssame  rootssame  sch  indexs 
same  sch  indexs  <emptys  |  same  sch  indexs_<identif iers 

|  same  sch  indexs_<integers  |  same  sch  i ndexs_( <counters) 
<counters  ::=  #K<identif iers  |  o<counters 

Every  counter  is  always  of  type  I.  If  x_y  is  a  name  scheme,  and  y  does  not  contain  symbol  we  say  that 
y  is  the  rightmost  or  last  node  of  x_y,  A  name  scheme  is  an  expression.  As  an  example,  abc-(tf-Kabc)  is  a 
name  scheme,  #Kabc  is  the  counter  corresponding  to  a  be,  and  (#Kabc)  is  the  rightmost  node  of  this  name 
scheme. 

(2)  Formation  rules: 
i)  Variables: 

General  variables  are  those  variables  whose  values  are  time  dependent.  We  distinguish  its  name  from  its 
value.  If  d\  is  a  name  whose  type  symbol  is  not  L  then  #3X  is  a  general  variable  Among  general  variables, 
there  is  one  kind  of  variable  whose  value  does  not  change  with  time.  We  call  them  basic  variables.  If  v  is  a 
name,  .v  is  a  basic  variable. 
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ii)  Constants: 

Constants  are  expressed  as  in  conventional  formal  languages.  Thus,  0,  1,  2,  ...  are  used  to  represent 
integers,  character  strings  are  quoted  with  double  quotation  marks,  T  and  F  are  used  to  represent  true  and 
false,  etc.  A  name  is  a  special  case  of  a  character  string  but  with  the  quotation  marks  omitted. 

iii)  Expressions: 

(1)  every  constant  of  type  I  or  C  is  an  expression. 

(2)  every  basic  variable  of  type  I  or  C  is  an  expression. 

(3)  every  name  scheme  is  an  expression  whose  value  is  a  name. 

(4)  if  e  is  an  expression  of  type  d,  where  3  is  I  or  C,  and  Q  is  an  unary  operator,  then  is  also  an  expression 
of  type  d. 

(5)  if  «i,  e2  are  expressions  of  type  d,  where  d  is  I  or  C,  and  ©  is  a  binary  operation,  then  (ei  ©  e2)  is  also 
an  expression  of  type  d. 

(6)  if  e  is  an  expression  then  oe  is  an  expression. 

iv)  Logical  formulas: 

(1)  any  general  variable  or  basic  variable  of  type  B  is  a  logical  formula. 

(2)  if  ei  and  e2  are  two  expressions  both  of  type  1  or  C,  then  ei  =  e2  is  a  logical  formula  called  an  equation. 

(3)  there  are  some  special  formulas  denoted  by  special  names: 

(i)  T  and  F  are  logical  formulas  which  are  called  logical  constants. 

(ii)  A  type  symbol  without  a  root  and  an  index  following  it  is  called  an  allocational  formula.  Every 
allocational  formula  is  a  logical  formula.  Semantically,  allocational  formulas  are  equivalent  to  T, 
but  they  have  a  different  pragmatic  meaning  (which  is  beyond  what  we  are  going  to  formalize  in 
our  system).  They  are  introduced  into  the  system  in  order  to  omit  the  type  symbols  in  the  names 
of  the  variables. 

(4)  if  P,  Q,  and  R  are  logical  formulas,  then  so  are  -<P,  P  V  Q,  P  A  Q,  P  D  Q,  P  =  Q,  and  IF  P  THEN 
<9  ELSE  R. 

(5)  if  P  is  a  logical  formula,  and  x  is  the  name  of  a  variable  of  type  I  or  C,  then  Vi P  and  3 xP  are  logical 
formulas. 

(6)  if  P  is  a  logical  formula,  then  □(/’),  O(P),  and  o (P)  are  logical  formulas.  (These  three  operators  are 
read  as  necessary ,  possible, and  nexttime  respectively). 

(7)  if  P  and  Q  are  logical  formulas,  then  (P)U(Q)  is  also  a  logical  formula.  (It  is  read  as  until.)  [8]. 

Among  the  equations,  there  are  some  special  forms: 

(1)  An  equation  of  the  form  o#x  =  e  (or  e  =  o#x)  is  called  an  assignment  equation  if  there  is  no  o 
occurring  in  the  expression  c  and  # x  is  a  general  variable  Here  o#x  is  called  the  next-time  side  and  e 
the  present-time  side  of  the  equation. 

(2)  There  is  a  special  general  variable  #lb  whose  value  is  always  a  name.  It  always  occurs  in  the  equation 

of  the  form:  if  lb  =  r  or  o#lb  =  e,  where  e  is  a  name  sc  It  is  used  to  express  the 

control  flow  of  the  whole  formula.  We  give  the  special  name  lb  equation  to  them.  (#lb  =  e  is  called  a 
present-time  lb  equation  and  o#)b  =  e  a  next-time  lb  equation).  There  is  a  special  form  o#]b  =  stop 
which  is  called  the  stop  equation.  Hereafter  we  abbreviate  IF  P  THEN  Q  ELSE  F  as  IF  P  THEN  Q. 

Logical  formulas  are  the  well-formed  formulas  in  our  system.  From  a  programming  point  of  view,  we 
have  a  special  interest  in  well-formed  formulas  of  the  form: 


□(Ai  VA2  V...V  A„) 


where  each  A„  i  =  1, . .  .,n  has  one  of  following  two  forms: 

(i)  (IF  #lb  =  e,  THEN  <Q,  A»  o  #lb  =  e;) 

(ii)  (IF  #lb  =  e,  THEN  (IF  P,  THEN  «9,,A»  o  #lb  =  e,,  ELSE  <QtJ A»  °  #lb  =  ej2  )) 

where  inplics  that  X  may  be  empty,  e,,  e;  are  names  or  name  schema.  No  lb  equations  are  allowed  to 

occur  in  P,,  Q,  and  no  allocational  formulas  are  allowed  to  occur  in  P,.  In  addition,  no  more  IF. . .  THEN.. . 
ELSE. . .  -form  coeiUtion  *1  statements  are  allowed  to  occur  in  P,  and  Q,.  A  formula  of  the  above 
form  satisfying  the  following  condition  is  called  a  program£t««  'frtne.  problem'  in 
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For  any  general  variable,  say  #5X,  an  equation  of  the  form  o#3X  =  e  is  called  an  updating 
equation,  It  has  a  special  case,  o#d\  =  #d\,  which  is  called  a  redundant  equation.  Let 
. ..,  #3mXm  be  all  the  general  variables  occurring  in  the  program.  Then  for  each  t  =  1 
the  Q ,,  or  Qtl  and  Q, 2  must  have  an  updating  equation  for  each  general  variable  as  a  conjunctive 
component.  Redundant  equations  can  be  omitted. 

We  always  express  the  program  in  another,  more  readable,  form: 

(1)  we  express  (i)  as  “#!b  =  e  =>  <&Q, A»  °  #lb  =  e,-.” 

(2)  we  express  (ii)  as  “#lb  =  e  A  P,  =>  <Q1(A>  0  #lb  =  eJt  ;  #lb  =  e  A  -•P,  =»  <Q, 2A»  0  #/6  =  ej2.” 

(3)  We  change  the  outermost  parentheses  of  the  program  into  square  brackets. 

A  program  is  changed  into  the  form:  0[Ri  =»  51;  . . . ;  Rn  =»  Sn).  Each  R,  =>  5,  is  called  a  conditional 

element.  A  program  is  regular  if  for  any  the  next- time  lb  equation  o#lb  =  e;  occurs,  then  there  must 

be  a  /  (1  <  l  <  n)  such  that  the  present-time  lb  equation  #lb  =  e}  occurs  in  Rt .  We  consider  only  regular 
programs. 

Also  for  readability,  we  divide  a  program  into  several  blocks  by  using  square  brackets  to  group  conditional 
elements.  A  block  symbol  appears  before  the  brackets.  These  block  symbols  are  used  to  indicate  the  access 
rights  for  those  names  declared  (t.e.  occurring  in  a  present-time  lb  equation)  in  the  block.  There  are  five 
kinds  of  blocks: 

(1)  %t[. .  ,\  is  used  to  group  the  declaration  of  input  basic  variables.  The  variables  in  it  must  have  initial 
values  and  these  values  cannot  be  changed  within  the  program. 

(2)  %o\. . .)  is  used  to  group  the  declaration  of  output  basic  variables.  The  variables  declared  in  it  must 
have  a  value  which  can  be  accessed  outside  the  program. 

(3)  %io\. . .]  it  is  used  to  group  the  declaration  of  input-output  general  variables.  The  variables  declared 
in  it  must  have  initial  values,  but  their  values  can  also  be  changed  within  the  program  and  accessed 
outside  the  program. 

(4)  %v\. . .]  is  used  to  group  the  declaration  of  local  general  variables. 

(5)  %a[. . .]  is  used  to  group  the  algorithm. 

The  syntax  of  an  F,0  program  can  be  described  as 

<E0  prog>  ;:=  □[  <%i  part>  <Xo  part>  <%io  part>  <%v  part>  <%a  part>  ] 

<%X  part>::=<7.X  block>  |  <empty> 

X  represents  i,  o,  io,  v,  or  a. 

<%X  block>  ::=  %<X>[<condi tiona 1  element  seq>]; 

<X>  ::=i|o|  io|v|a 

■(conditional  element  seq>  ; ; ^(conditional  element>  | 

(conditional  element  seq> ;(Condi tional  element> 

(conditional  element> 

(present  lb  eqxcond  part>  =»  (act  partxnext  lb  eq>: 

(present  lb  eq>  #lb  —  <name  sc heme> 

(next  lb  eq>  o(present  lb  eq> 

(Cond  part>  : : »  A (logical  formula>  |  (empty> 

(act  part>  (logical  formula>A  |  (empty> 

Example  1:  The  integral  square  root  of  a  given  non-negative  integer. 

The  flowchart  for  this  problem  is  shown  in  Figure  1. 

By  following  the  steps  shown  in  the  flowchart,  we  obtain  a  XYZ/EO  program.  We  change  the  assignments 
into  assignment  equations  and  use  lb  equations  to  express  the  flow  of  control: 


□  [  #lb  =  sqrt  =t  o#lb  =  Im\ 

Xt[  #lb  =  !m=>/A°#lb  =  ln  ]; 

%o[  #lb  =  In  =»  I  A°#lb  =  Ik  ]; 

*„[  #lb  =  /Jfc=>/Ao#lb  =  /p; 

#lb  =  /p=>/A°#lb  =  ll  ]; 

%a[  #lb  =  U=»o#/Jfc  =  0Ao#/p=lA°#lb  =  12; 

#  1  b  =  12  A  #/p  >  ./m  =>  o#  1  b  =  14 ; 

#  1  b  =  12  A  #/p  <  ,/m  =>  o#  1  b  =  13 ; 

#lb  =  13  =»  o#/p  =  #/p  +  2*#/fc  +  3  A  o#/fc  =  #/fc  +  1  A  °#lb  =  12 ; 

#  1  b  =  14  =»  .In  =  #/fc  A  o#  1  b  =  »top  ]  ] 


We  have  included  the  type  symbols  in  this  example.  We  will  omit  them  in  future  examples. 


Example  2:  Binary  search  in  an  array  of  integers.  We  search  for  the  integer  stored  in  .obj.  The  flowchart 
is  Figure  2,  and  the  XYZ/EO  program  follows. 


□  [#1  b  =  binary  search  =*  o#lb  =  Kar; 

%t[#  lb  =  K  ar  =»/A°#lb  =  dpt ; 

#  1  b  =  dpt  =>  /  A  °#  1  b  =  11 ;  ( 

#lb  =  11  =>  0#/f or  =  1  Ao#lb  =  or; 

#lb  =  ar  A  #Kar  <  .dpt  =>  o#1b  =  arJJ^Kar)', 

#lb  =  ar_(#/Car)  =>  /  A  o#lb  =  12; 

#lb  =  arA#ffar  >  .dpt  =>  o#  1  b  =  obj ; 

#lb  =  12  =>  o #Kar  =  #Kar  +  1  A  °#lb  =  ar\ 

#  1  b  =  obj  =»  f  A  °#  1  b  =  place] ;  j 

Xo[#  1  b  =  place  =>  1  A  o#  1  b  =  low] ;  i 

Xti(#  1  b  =  low  =>  I  A  o#  1  b  =  /it'yA ; 

#  1  b  =  hiffh  =»  /  A  o#  1  b  =  mtd ;  ] 

#  lb  =  mid  =*  /  A  o# lb  =  13] ;  i 

Xa[#lb  =  13  =>  o#lotu  =  1  A  ofthigh  =  .dpt  +  1  A  °#lb  =  14;  1 

#1  b  =  <4  A  #lotu  <  =»  o^mid  =  [{#low  +  #htjh)/2]  A  o#lb  =  15 ; 

#lb  =  <4  A  #low  >  #high  =»  °#lb  =  <6; 

#lb  =  15  A  obj  >  .ar_(#/Car)  =»  o#low  =  #mtd-(-  1  A  o#1b  =  14; 

#lb  =  <5  A  obj  <  .ar_(#7Tar)  =»  ofthigh  =  #m»d  A  °#  1  b  =  <4;  j 

#lb  =  16  A  .o6j  =  .ar-(if  high)  =»  .place  =  #high  A  o#l b  =  17 ;  ] 

#  lb  =  16  A  obj  ^  ,ar_{#high)  =»  .place  =  0  A  °#  1  b  =  17  ;  * 

#lb  =  17  =»  o#1b  =  stop]]  * 


i 
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Figure  2 


XYZ/E  uses  the  same  control  structure  for  variable  declarations  and  algorithms.  In  a  compiler  system,  they 
are  realised  at  different  times;  for  an  interpretive  system,  both  are  elaborated  at  the  same  time. 

There  are  too  many  occurrences  of  lb  equations  in  an  XYZ/E  program.  It  is  easy  to  see  that  there  are 
ways  to  simplify  the  representation.  The  result  of  this  simplification  is  the  external  form  of  the  language. 

(1)  Within  each  conditional  element,  the  rightmost  (next)  lb  equation  "o#lb  =  c?X”  is  abbreviated  as  "f 

ax*. 

(2)  Within  each  conditional  element,  the  leftmost  (present)  lb  equation  "#lb  —  d\"  is  abbreviated  as 
-ax  If  there  is  no  formula  between  this  leftmost  lb  equation  and  the  then  the  "=*"  sign  can 
be  omitted. 
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(3)  For  any  rightmost  lb  equation,  if  the  name  in  it  is  the  name  occurring  in  the  leftmost  lb  equation  of 
next  conditional  element,  then  this  rightmost  lb  equation  can  be  omitted;  if  after  the  omission,  the 
conditional  element  becomes  a  formula  of  the  form  “3X  =»;”  or  “<9X  then  the  semicolon  can  be 
omitted. 

(4)  For  any  sequence  of  formulas  after  the  above  abbreviation,  say  “Aj;  A„",  if  they  do  not  contain 

the  symbol  and  all  except  the  last  do  not  contain  formula  of  the  form  z”,  then  they  can  be 

grouped  by  a  pair  of  square  brackets. 

(5)  For  any  leftmost  lb  equation  “dX  if  no  rightmost  lb  equation  except  its  immediate  predecessor  has 
its  name  occurring  in  its  right  side,  then  the  “<9X  or  "#lb  =  d\”  together  with  a  “A”  sign  occurring 
in  its  right  side  can  be  omitted,  unless  this  lb  equation  occurs  more  than  once. 

(6)  If  two  conditional  elements  have  the  same  leftmost  lb  equation,  but  have  contradictory  conditions  on 

the  left  of  the  sign  i.e.  they  have  the  form:  “3X  :  P  =>  Qt;  d\  :  ->P  =>  Q2;”  the  second  leftmost 

label  can  always  be  omitted. 

(7)  Any  formula  of  the  form  “X  :  P  =»  Q  =»  R”  can  be  abbreviated  as  “X  :  P  A  Q  =»  R";  Similarly, 
“X  :  P  =»  Q  =»  R( ;  -’Q  ri  R2;"  can  be  abbreviated  as  “X  :  P  A  Q  =>  Ri ;  P  A  ->Q  =»  R2;”. 

(8)  For  each  vector  z,  we  always  assume  that  there  is  a  counter  (i.e.  a  general  variable  of  type  1)  defined 
together  with  it;  its  name  always  starts  with  a  capital  K  and  is  followed  by  the  name  of  this  vector. 
This  kind  of  counter  is  always  initialized  with  the  value  1. 

(9)  The  type  symbol  of  a  name  is  omitted. 

All  these  abbreviations  can  be  easily  restored  mechanically.  With  these  abbreviations,  the  Examples  1 

and  2  above  become: 

Example  1  (cont.) 

□[  sqrt  : 

%i[m  :  /]; 

%o[n  :  /]; 

%v\ k  :  /; 

P  :  /]; 

%a[o#k  ---  0  A  o#p  =  1; 

12  :  #p  >  .m  <4 ; 

#p  <  m  =»  o#p  =  #p  +  2*#k  +  3A»#t  =  +  1A  t  i2 ; 

14  :  .n  =  \  »top]| 

Example  2  (cont.) 

□[  bi narysearch : 

%t(dpl  :  /; 

ar  :  # K ar  <  .dpt  -=>  [ ar_(#Kar )  :  /;  o #Kar  =  #Kar+  1A  T  ar\  \ 
ifKar  >  .dpt  obj  :  /] ; 

%o\place  :  /); 

%u[lou>  :  /; 
high  :  /; 
mtd  :  /); 

%a\°#low  =  1  A  o #high  =  .dpt  +  1 1 

1 4  :  #low  <  #high  =*  o#mtd  =  j(#iow  -f-  #htgh)/2}A  t  15  ; 

#lotu  >  #high  =»T  16: 

15  :  .06;  >  ,arj(#Kar)  =»  oftlow  =  #mid  -f  1A  [  14; 

■  obj  <  .a.r_{#Kar)  =>  ofthigh  —  ftmidA  T  14; 

16  :  .obj  =  .arj^fthxgh)  .place  =  fthighA  t  17  ; 

obj  ,ar_(#high)  =*  .place  =  OA  T  17  I 

17  :f  stop]] 
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3.  XYZ/E1. 

XYZ/'EO  introduced  above  is  confined  in  the  framework  of  flowchart  structure,  and  thus  cannot  express 
subroutine  calls,  especially  recursive  ones.  This  can  only  be  done  in  a  higher  |uy«r  super-control  structure. 
This  constitutes  the  basic  novelty  of  XYZ/E1.  XYZ/E1  is  extented  from  XYZ/EO  with  following  new 
features: 

A  general  variable  of  type  stack  is  denoted  by  a  name  whose  type  symbol  is  S  concatenated  with  the  type 
syinbc!  of  its  elements.  The  alloeational  formula  for  stack  is  "S<elementtype>",  where  <elementtype>  is 
the  alloeational  formula  of  its  elements. 

There  arc  several  operations  that  can  be  performed  on  a  stack,  e.g.  "push(< stack> , <element>)”, 
"pop( < stack  >)" ,  "top( < stack > )”,  and  “depth(<stack>)”.  These  operations  are  defined  by  well-known 
axioms. 

We  also  introduce  the  concept  of  procedure  and  function  modules.  For  XYZ/E,  we  add  the  following 
extentions: 

<E1  prog>::=d[  <main>  cmodule  part>  ] 

<main>::=  <%i  part>  <%o  part>  <%io  part>  <%v  part>  <%a  part> 

Now  “<main>”  is  just  as  in  "<E0  prog>’’and  no  more  illustration  is  needed. 

<module  part>  ::=  ;<module  seq>  |  <empty> 

<module  seq>  ::=<module>  |  <modu1e  seq>;  <module> 

<module>  :  :  =  <module  symbol>[  cmodule  main>  <module  part>  ] 

<module  symbo1>  :  :  =  @p  |  Sf  |  ... 

cmodule  main>  ::  =  <%i  part>  <Zo  part>  <%io  part>  <%v  part>  <%a  part> 

We  introduce  two  kinds  of  modules:  One,  with  “%p”  as  its  module  symbol,  we  call  procedure;  the  other, 
with  “/of’  as  its  module  symbol,  is  called  function.  For  the  external  form  of  these  two  kinds  of  modules, 
we  adopt  the  convention  that  the  part",  “ %o  part",  and  “%io  part”  of  these  modules  are  moved  to  the 
position  following  the  name  of  the  module  and  grouped  by  parenthesis  as  a  parameter  part,  as  in  conventional 
languages.  In  order  to  distinguish  among  these  three  different  parts,  the  block  symbols  ,  “%o"  and 

"/cio"  are  put  before  their  corresponding  group  of  variables.  For  functions,  the  output  variable  will  always 
be  unique  and  have  a  name  beginning  with  F  and  followed  by  its  module  name. 

Example  1  becomes: 

%f[sqrt(%im  :  1\  %oFsqrt  :  I)  : 

%v\k  :  /, 

P  :  f  ji 

%a{.  .  .]) 

The  internal  form  of  the  procedure  and  function  calls  are  exactly  what  one  would  do  in  a  compiler 
written  in  assembly  languages:  There  is  a  slack  ff  SCreturn  together  with  its  counter  ffK  return.  To 
call  a  procedure  clX,  we  first  assign  the  values  of  the  input  and  mput-output  actual  parameters  to  their 
corresponding  formal  parameters,  and  then  push  the  name  of  the  next  conditional  element  onto  the  stack. 
We  goto  the  label  d\  (i.e.  o//lb  —  <5X).  Upon  completion,  we  pop  the  top  label  into  a  pointer  and  then 
goto  the  position  corresponding  to  the  content  of  that  pointer.  It  is  then  necessary  to  assign  all  output  and 
input-output  formal  parameters  values  corresponding  their  actual  correspondents.  Of  course,  this  internal 
form  is  unreadable,  so  an  external  form  is  necessary. 

In  the  external  form,  to  call  procedure  d\(. . we  say  “T  9X(-,  where  ate  the  actual 

parameters.  To  call  a  function  dX(%i...;  %oFd\  :  d)  we  say  “#Fd\(-,-,-)” ,  where  are  the 

actual  parameters  which  correspond  to  the  %i  part  of  the  formal  parameters.  Thus  to  apply  the  function 
sqrt  to  the  integer  ‘16’  we  would  say  "#Fsqrt(16). 
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4.  XYZ/E2. 

XYZ/E2  is  the  layer  that  has  the  super  structure  which  can  be  used  to  express  concurrency  and 
nondeterminancy  (14j. 

The  new  allocational  formula  for  Petri  Net  is  “N”.  A  general  variable  of  type  N  is  also  accompanied  by 
variables  of  type  I,  which  are  called  places. 

There  are  also  two  new  special  operators  from  the  domain  of  transition  variables  to  {T,  F}: 

(1)  isfired(#JVX) 

(2)  isenabled(#/|/X) 

Each  Petri  net  must  obey  the  following  axioms': 

VArX(t5/tred(o#ArX)  D  isenablcd(#N\))  A 
3N\(iscna.bled(#N\))  D  3N\'(i$f  ired(o#N\’))  A 
VArXVNX’(#WX  jL  #NX-  D  -(ts/trcd(# N\)  A  ts/tred(#NX'))) 
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Example  3:  The  well-known  stnd-rcctivc  problem  is  shown  in  Figure  i,  We  assume  that  the  buffer  is  circular 
and  that  only  one  integer  is  to  be  sent  or  received  each  time.  Modelling  this  problem  with  a  Petri  net,  we 
get  a  net  of  the  form  in  Figure  4  where  vi  and  V;  model  the  sender,  v4  and  t»s  the  receiver,  and  t/3  is  the 
buffer  which  is  ifc-bounded.  When  the  sum  (called  tokens)  is  more  than  fc,  the  transition  object  is  suspended. 

The  program  corresponding  to  Figure  4  is  as  follows: 


□  \sendreceive  : 

%v\vt  :  l\ 
vs  :  /; 
u3  :  /; 

:  /; 

«s  :  f; 
v6:7V; 
w  :N; 

vf-N- 
v,  :  N); 

%a\n  :  #u,  >  0  =*  i  senabl  ed(o#v6)A  T  n; 

n  :  i  sf  i  red(#DC)  =»  o#vx  =  —  1  A  °#v2  =  #u2  -f  1A  T 

n  :  #U2  >  0  A  #v3  <  k  =>  i  senabl  ed(o#v7)A  1  n; 
n  :  #v2  >  0  A  #v3  >  k  =>t  n; 
n  :  i s f  i  red(#v7)  =» 

o#u2  =  #u2  —  1  A  °#vi  -  #t»i  -f  1  A  °#t>3  —  #v3  +  1A  T 
n  .  #v3  >  0  A  >  0  =>  i  senabl ed(o#v8)A  1  n; 
n  :  isf  i  red(#v8)  =» 

o#u4  =  #0,  —  1  A  °#v3  =  #t>3  —  1  A  o#Vi  —  #vs  +  1A  T  n> 
n  :  #v5  >  0  =»  isenabled(o#v9)A  T  n; 

n  :  i  Sf  i  red(#v9)  =>  °irVh  =  #v5  —  1  A  °#v4  =  #u4  +  1A  T  n]J 

Example  4:  The  dining  philolophers  problem:  For  j  —  1, . . . ,  5,  tiji  =  1  means  the  ylh  philosopher  holds 
at  least  one  of  his  forks.  v)2  =  1  means  the  ;th  fork  is  held  by  the  philosopher  of  its  some  side;  vj6  =  1 
represents  the  jlh  philosopher  is  eating.  The  Petri  net  describing  this  problem  is  shown  in  Figure  5,  and  the 
£.  XYZ/E2  program  follows. 

□  [phtlosophers  : 

S 12  :  T; 

j-  vi3  :  N i 

!  «14  -l\ 

i  v,5:W; 

eis ;  J; 
vn  :  N-, 

...similarly  for  philosophers  2,. ..,5 


l 


T 


L 


%a[n  :  #pn  >  0  A  #/i2  >  0  =>  isenabled(o#P,3)A  t  n; 
n  :  isf  i  red(#v13)  =» 

°#t>u  =  #t>n  +  1A  o#pu  =  #pu  —  1  A  o#/u  =  #/12  —  1A  t  «; 
n  :  #d,4  >  0  A  #/22  >  0  =»  i  senab  1  ed(o#v,5)A  t  r>; 
n  :  isf  i  red(#t>15)  => 

°#«16  =  #*!«  +  1  A  °#t>u  =  —  1  A  °#/22  =  #/22  —  1A  T  n; 

n  :  #e)6  >  0  =>  i  senabl  ed(o#ui7)A  t  n; 
n  :  isf  i  red(#t)i7)  =» 

°#Pn  =  #Pu  +  1  A  o#/,2  =  #/i2  -f- 1 
A°#/22  =  #/22  +  1  A  °#«16  =  #e16  —  1A  t  n> 

...similarly  for  philosophers  2,. ..,5 

One  often  runs  into  problems  when  using  a  Petri  net  to  represent  a  concurrent  program  exactly  since 
some  properties  may  not  be  explicitly  expressed.  In  Example  4,  we  must  require  that  no  two  philosophers 

can  hold  a  fork  at  the  same  time,  and  no  philosopher  can  hold  a  fork  not  at  his  side.  There  is  no  problem 

in  expressing  these  conditions  in  XYZ/E,  since  we  can  always  supplement  the  program  with  a  formula  to 
express  these  conditions.  For  example,  we  need  to  supplement  the  dining  philosophers  program  with  the 
following  formula: 

V/(l  <  j  <  5)(#/j2  =  1  D  3*(1  <  k  <  5)HOLD(#Pku#f]2))A 

Vj(l  <  j  <  5)(#PjI  =  1  D  3*(1  <  k  <  5)IJOLD(#pJl,  # /* 2 ))  A 

Vj,k(l  <j,k<  5)( // OLD(#p} , ,  #/i2)  D  (3  =  kV  IFj  ^  iTHENk  =  j  +  \ELSEk  =  1))  A 

V>,  *(  1  <  j,*  <  5  )(HOLD(#PjU#fki)  D  (#PjI  =1  A  #/*2  =  1)  A 

Vj,*(l  <  j,k  <  5)(ffOLD(#p3,,#/*2)  D  -3m(l  <  m  <  5)(m  ^  /  A  HOLD(#pml,  #/*2))) 
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5.  Axiomatization  and  Verification. 

The  axiomatic  system  of  XYZ/E  contains  the  following  parts: 

(1)  the  axioms  of  predicate  calculus; 

(2)  the  axioms  for  the  modal  operators  □,  O,  and  U; 

(3)  the  axioms  for  integers  and  characters. 

These  are  easy  to  find  in  the  literatures. 

(4)  We  need  a  new  set  of  axioms  for  the  next-time  operator  o,  since  we  lay  emphasis  on  the  commutativity 
and  distributivity  of  o  with  other  operators  in  the  system.  These  new  axioms  are  as  follows: 

(i)  For  any  logical  formula  A  and  any  unary  predicate  operation  d  £  {->,  Vx,  3x,  □,  O},  ad  A  =  d  o  A. 

(ii)  For  any  logical  formulas  A  and  B  and  binary  predicate  operation  d  £  {A,  V,  D,  =,U},  o\AdB\  = 
[oAdoB], 

(iii)  For  any  expression  e  and  unary  expresional  operation  £  {-j-, — },  ode  =  dot. 

(iv  )  For  any  name  scheme  o_/?  where  /3  is  its  rightmost  node,  oa_/3  =  q_o  /?. 

(v)  For  any  expressions  t\  and  e2  and  relational  connective  d  £  {=,  <,  o(e,3e2)  =  (oei3oe2). 

(vi)  For  any  expression  ei  and  e2  and  binary  operation  d  £  — ,  * ,  /} ,  o(eide2)  =  (oe|doe2). 

(vii)  For  any  basic  variables  .y,  o.y  —  .y. 

(viii)  For  any  constant  c,  o c  —  c. 

(ix)  For  any  logical  formula  A,  DA  3  o A. 

By  means  of  these  axioms  we  can  always  move  o’s  inward  until  all  are  located  in  front  of  general  variables. 
XYZ/E1  and  XYZ/E2  have  additional  axioms  for  stacks  and  transition  types.  Those  for  transition  have  been 
enumerated  in  section  4,  while  the  axioms  for  stacks  are  well  known. 

This  modal  logic  system  can  be  easily  reduced  to  the  first  order  logic  system.  It  has  been  shown  [10] 
that  for  any  w,  □  w  corresponds  to  Vtui,  and  O  w  to  3tw.  Also,  every  general  variable  of  the  form  #3xX  can 
be  expressed  in  first  order  logic  by  Apply(3rrX,  t)  where  Apply  is  a  predicate  defined  by  each  given  program, 
and  ok#dn\  is  expressed  by  Apply(d7rX,t  +  k).  tuj Uwq  corresponds  to  following  formula: 

Vti  3*2(<i  <  t2  A  Apply(w2,  t2) 

A  Vt 3 ( f i  <  t3  <  t2  D  Apply(wi,t3))). 

Feng  [4]  has  established  the  Hoare-type  proof  rules  for  XYZ/E.  Like  Lucid,  XYZ/E  can  also  be  used  to 
do  mathematical  proofs  directly  as  a  logic  system. 

Since  every  program  in  XYZ/E  is  a  well-formed  logic  formula,  it  can  be  used  directly  as  the  local  axiom 
for  proving  any  property  from  it.  Thus,  in  Example  1,  to  prove  its  correctness,  we  need  prove  that  if  we 
start  with  a  positive  integer  #m,  that  lb  =  stop  A  #n2  <  <  (#n  +  l)2  is  provable.  We  only  need  to 

prove: 

#lb  =  sqrt  A  EX1  A  #m  >030  [#lb  =  stop  A  #n2  <  #m  A  #m  <  (#n  +  l)2] 

where  EXl  represents  the  program  in  Example  1.  Similarly,  to  prove  the  invariant  of  the  loop  starting  at 
12,  we  need  only  prove: 

#lb  =  sqrt  A  EXl  A  >  0  D  Oj#lb  =  12  D  #p  =  #fc2]. 

One  of  the  interesting  aspects  of  XYZ/E  in  its  application  to  verification  is  that  invariant  properties 
which  can  only  be  expressed  by  introducing  so-called  ghost  variables  and  passive  statements  [8]  in  other 
logic  systems  can  be  expressed  directly  in  XYZ/E.  Take  Example  2  in  section  2.  As  pointed  out  in  [8],  the 
invariant  corresponding  to  the  loop  from  14  to  16  is  expressed  as: 


high  —  low  is  strictly  decreasing.  If  the  object  .obj  is  in  the  ordered  array  .or,  then  one  of 
its  positions  is  between  low  and  high. 


Now  to  formalise  it  as  [8]: 
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'A  is  ordered  between  1  and  N"  is  expressed  as 


ORDERED(A,  1,  N)  =s  Vz(l  <  i  <  N  D  A_( x)  <  A-(z  -f  1)) 

“B  is  in  the  interval  (L,  R )  of  A/  is  expressed  as 

ISINTERVAL(B,  A,  L,  R)  ~  3 x{L  <  x  <  R  A  A_(z)  =  B) 

So  the  last  part  of  the  invariant  can  be  expressed  as 

ORDERED(.ar,\,.dpt)h 

{ISlNTERVAL(.ob) ,  .or,  1,  .dpt)  D  ISINTERVAL{.obj,  .or,  # low,  H high)) 

How  do  we  express  the  first  sentence  of  the  invariant?  In  a  logic  system  which  has  no  explicit  method  of 
expressing  state  transitions,  we  would  have  to  add  an  extra  ghost  variable  and  an  extra  passive  statements 
into  the  algorithm  and  the  assertion  as  [8]  suggests.  In  [8],  the  ghost  variable  is  C,  and  the  passive  statements 
added  to  the  positions  corresponding  to  13  and  14  respectively  are  “C  :=  N  +  1”  and  “C  ( high  —  low)"-, 
the  first  sentence  of  the  invariant'expressed  in  [8]  is  “low  <  high  E)  ( high  —  low )  <  C” ■  No  extra  variables 
or  sentences  are  needed  to  express  this  sentence  in  XYZ/E.  We  can  express  this  sentence  as 

□(#/oui  <  it  high  E>  {ptthigh  —  o  #fou>)  <  (#high—  #low)). 

As  is  well  known  [5],  the  modal  logic  system  with  operators  [3,0,0  and  U  can  express  not  only  the 
properties  of  sequential  programs,  but  also  many  of  the  significant  properties  of  concurrent  and  nondeter- 
ministic  programs  In  Example  4,  if  each  philosopher  holds  his  left-hand  fork,  then  they  would  all  suffer 
from  starvation  (i  e.  deadlock).  In  order  to  express  this  property,  let  Q  represent  the  formula  concerning 
HOLD  given  at  the  end  of  the  last  section,  and  let  the  program  in  Example  4  be  represented  by  P.  The 
deadlock  property  of  Example  4  can  be  represented  as  follows: 

PA<?  AV;,k(l  <  j,  k  <  5)(#Pji  =  1  A  #/*2  =  1)30  Vm(l  <  m  <  5)(#em6  =  0)) 

However,  if  some  philosopher  does  not  hold  any  fork  but  all  the  forks  are  held,  then  at  least  one 
philosopher  can  eat  sometime.  This  property  can  be  expressed  as  follows: 

P  A  <?(1  <  m  <  5)(#p,„i  =  0  A  Vj(l  <]<  5)(#/r,  «  1  A  OV  "O  #Pji  "=  l)) 

D  3*(I  <fc<5A*^mAO#e:k6  =  1)). 

Since  in  the  nondeterminate  case,  the  time  is  in  branching  order,  the  operators  □,  O  differ  in  meaning 
from  when  used  in  linear  time  order.  There  are  many  different  ways  to  deal  with  the  modal  operators  in  the 
non-deterministic  case: 

(1)  To  explain  the  operator  □  as  "for  all  pathes  and  for  all  time  nodes”,  and  O  as  “there  exists  a  path  and 
there  exists  a  time  node”.  In  this  explanation,  the  system  built  above  is  applicable,  but  there  are  some 
properties  unexpressible  in  this  system.  We  lack  operators  to  express  “for  each  path  there  exists  a  time 
node”  and  "there  exists  a  path  for  all  time  nodes”.  Consequently,  is  this  system,  not  all  properties  of 
non-determinate  programs  arc  expressible. 

(2)  Another  choice  is  to  use  the  system  given  in  [3] .  The  six  modal  operators  are  VC,  3(7,  VF,  3 F,  VJf, 
37C.  They  correspond  to  "for  all  paths  and  all  time  nodes  on  it”,  "there  exists  a  path  for  all  time  node 
on  it”,  “for  all  paths  there  exists  a  time  node  on  it”,  “there  exists  a  path  and  a  time  node  on  it”,  “for 
each  path,  the  next  node  on  it”,  and  “there  exists  a  path, the  next  node  on  it”  respectively. 

This  system  of  symbolism  looks  too  novel  and  differs  too  much  from  the  customary  modal  logic  system 
given  above.  It  would  be  more  dcsireable  to  be  able  to  express  all  the  properties  expressible  by  these  six 
operators,  but  remain  within  the  framework  of  the  modal  logic  and  first-order  theory.  Thus  we  instead  do 
the  following: 


w 
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(3)  Since  we  discuss  nondcterminate  properties  on  the  basis  of  Petri  nets  which  are  expressed  by  XYZ/E2 

programs,  we  define  the  concept  of  path  in  terms  of  XYZ/E2  constructs.  To  express  this  fact  more  , 

explicitly,  we  use  first-order  symbolisms  instead  of  modal  theoretic  ones,  i.e.  we  use  App!y(3X,  t),  I 

Apply(d\,  t  +  1),  Vt,  3t  instead  of  #dX,  o#dX,  □,  O  respectively.  Let  P  be  the  XYZ/E2  program  given, 

vni,...,vnm  are  transition  variables  occurring  in  P  and  nl,...,nm  are  different  integers  to  represent  i 

the  indices  of  these  variables.  Let  q  be  an  integer  different  from  n  1, . . . ,  nm.  Then  the  definition  of  path 

variable  x  can  be  given  as  below:  ! 

P  D  Vt(Vj(l  <  j  <  m)(isfired(Apply(vnj ,  t))  J  Appl y(x,t)  =  nj)  j 

A  ->3j(l  <  j  <  m)isfired(Apply(unJ,  t))  D  Apply(i,  t)  =  q)  i 

Call  this  formula  D(P,  x).  To  make  use  of  this  formula  and  quantification  over  x  and  f,  the  six  cases 
shown  above  can  be  easily  expressed. 

The  deadlock  property  of  Example  4  can  be  expressed  as: 

P  A  Q  A  Vj,  k(\  <  j,  k  <  5)(Apply(pj  i ,  t)  =  1  A  Apply(/k2,  t)  =  1) 

D  Vi VtVg(g£  {15,  25,  35, 45,  55})(D(P,  x)  J  Apply (x,t)  ^  9))) 

We  can  similarly  express  the  eating  property  as: 

...  D  3x3t3g(ge  {15,  25,35, 45 »( D(P,  x)  A  Apply(i,  t)  =  ?))) 

Obviously,  we  are  still  within  the  framework  of  first  order  theory,  a  fact  indeed  beyond  our  imagination. 

All  the  expression  above  can  also  be  expressed  with  modal  theoretic  symbolism.  So  the  modal-logic  system 
given  in  this  paper  can  be  used  not  only  to  express  nondcterminate  programs  but  also  to  express  all  sorts 
properties  required  in  [3], 
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6.  Two  Level  Formal  Semantic*  and  Semantics-directed  Compilation. 

Since  XYZ/E  is  an  assembly-like  language,  it  can  serve  as  the  target  language  for  the  compiler  of  any 
higher-level  language.  Yet  XYZ/E  is  also  a  logic  system  and  its  denotational  formal  semantics  is  well  defined, 
so  the  compiler  of  the  given  higher- level  language  can  be  taken  as  the  formal  semantics  of  the  given  language. 
This  is  a  natural  way  to  treate  formal  semantics,  it  makes  formal  semantics  closely  related  with  compiler, 
and  seems  to  give  a  satisfactory  solution  to  the  problem. 

As  an  example,  we  first  give  a  simple  language  Sample  as  follows: 

<program>  ::-  <name>(IN  <decl  seq>;  OUT  <dec1  seq>; 

INOUT  <decl  seq>)<prog  body> 

<prog  body>  BEGIN  <dec!  seq>  END;  <state>. 

<decl  seq>  <decl>  |  <decl  seq> ; <dec1> 

<state  seq>  : : =  <state>  |  <state  seq>;<state> 

<decl>  ::=  <name> : <type> 

<type>  ::=  <e1em  type>  |  <pointer>  |  <array>  |  <record> 

<elem  type>  ::=  INT  |  CHARS  |  BOOL 
<pointer>  ::  =  f<type> 

<array>  ARRAY  (expression)  OF  <type>  END 

<record>  ::-  RECORD  <decl  seq>  END 

<state>  :  :  =  <assign>  |  <compound>  |  <conditional>  | 

<whi1e  state>  |  <goto>  |  <name> ; <state> 

<assign>  :  :  =<name><-<expression> 

<compound>  ::=BEGIN  <state  seq>  END 

<conditional>  ::  =  IF  <bool  expression>  THEN  <state>  ELSE  <state> 

<while  state>  WHILE  cbool  expression>  DO  <state>  END 
<goto>  ::=  GOTO  <name> 


The  transformation  from  Sample  to  XYZ/E  consists  of  two  major  steps: 


(1)  Name  normalization:  The  naming  system  in  XYZ/E  has  been  elaborated  in  Section  1.  This  system  does 
not  differ  significantly  from  those  used  in  high-lever  languages  except  for  the  following  points: 

(i)  Each  name  has  a  type  part.  Since  it  can  always  be  restored  by  syntactical  analysis,  we  omit  it  in 
following  discussions. 

(ii)  The  labels  of  the  subfields  of  record  are  always  concatenated  with  the  label  of  the  record. 

(iii)  The  component  of  an  array  (or  the  body  of  a  loop)  is  labelled  with  a  name  scheme  which  is  formed 
by  the  name  of  that  array  (or  loop)  tagged  with  a  node  formed  by  the  corresponding  counter  braced 
with  parenthesis,  t.  e.: 


i 


X:  ARRAY(<expreession)  OF  X_(#KX) :<type>  END 
X:  RECORD  X_nl : <type>l ; . .  .  ;  X_nk:<type>k  END 


(2)  The  following  are  the  equations  which  transform  Sample  into  XYZ/E.  In  these  equations,  0  represents 
the  semantic  mapping.  The  English  construct  “if  -  then  -  elseif  -  then  -  else  is  used  as  a  metalanguage 
to  express  case  situations.  There  are  other  phrases,  such  as  "it  begins  with”  which  is  used  to  express  the 

leftmost  symbol  or  symbol  string,  and  “<  ...  >  is - ”  which  is  used  to  identify  the  kind  of  <  ...  >. 

means  the  left  side  of  it  can  be  replaced  by  its  right  side.  In  order  to  bn  more  readable,  we  choose 
the  external  form  of  XYZ/E  to  represent  the  semantics.  Of  course  it  can  be  changed  into  the  internal 
form  easily.  We  call  these  kind  of  semantics  equations  0  equations. 
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/3(<program>)  /?(  <name>(IN  xll : <type>l 1 ; . . . ; xlk : <type>lk ; 

OUT  x21 : <type>21 ; . . . ;x21 :<type>21 ; 

INOUT  x31:<type>31; . . . ; x3m: <type>3m) 

BEGIN  x41 : <type>41 ; . . . ; x4r : <type>4r  END; 

I:  <state>.  ) 

«-♦  □  [  <name>: 

%i[  xll:  /3(<type>ll) ; . .  .  ;  xlk:  /3(<type>lk)  ]; 
%o[  x2 1 :  0(< type>2 1 x21:  /?(<type>27)  ]; 
Xio[  x 3 1 :  /3(<type>31) ; . .  .  ;  x3m:  /3(<type>3m)  ]; 
%v[  x41 :  < t<y pe>4 1 ) ;  . .  .  ;  x4r:  0(<type>4r)  ]; 

Xa[  1:  0(<s  taVe> )  ]] 


0(<type>)  ~  if  it  begins  with  ' ‘ INT 1 ’  then  /J(INT) 

elseif  it  begins  with  ''CHARS1'  then  0(CHARS) 
elseif  it  begins  with  "BOOL**  then  0(BOOL) 
elseif  it  begins  with  ''t''  then  /?(<pointer>) 
elseif  it  begins  with  ''ARRAY''  then  /?(<array>) 
else  0(<record>) 


/3 (  INT)  ~  I 


0 (CHARS )  -  C 


0  ( BOOL )  ~  B 


/3(<pointer>)  ♦  0(t<type>) 

pA(<typ0>) 


y8*(<type>)  *-•  if  it  begins  with  ''ARRAY’’  then  /0’(<array>) 

elseif  it  begins  with  ''RECORD’’  then  y9l'(<record>) ; 
else  0(<type>) 

f>'(<array>)  ~  yfl,(ARRAY(<expression>)  OF  ax_#/cax) :<type>  END) 

«-*  Ayj'(<type>) 

P\  <record>)  ~  RECORD  ax.nl : <type>l ;  ax_nk : <type>k  END) 

~  R^'(<type>l),...,/ft<typ0>k)} 


aX:Q  =»  /?(<array>)  ~  aX:Q  =»  0( ARRAY  (<expression>)  OF  ax_(#K3X) : <type>  END) 
«-*  aX:QA#Kax  <  0(<express1on>)=> 

[ax_(#KaX):/?(<type>);  o#Kax  =  #Kax  +  1 ;  |0X]; 

Qa#K3X  >/?(<expression>)=» 

Similarly,  we  have  the  0  equation  for  the  case  that  d\  :  0{ < array >).  Hereafter,  we  will  no  longer  mention 
this  corresponding  case  for  other  constructs. 
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d\:Q  =»  0(<re cord>)  ~  d\:Q  =» 

^(RECORD  <9X_nl  :<type>l ;  . 
~  d\:Q  =»  3X_nl :  /?(<type>l);  . 


<9X_nk:<type>k  END) 
;  3X_nk:  /3(<type>k) 


/J(<state>)  «-*  if  it  begins  with  ''IF’*  then  /3(<conditional>) 

elseif  it  begins  with  ''BEGIN’’  then  /?( <compound> ) 
elseif  it  begins  with  ''WHILE’’  then  /?(<whiie  state>) 
else  /3{<assign>) 


/?(<assign>)  «-•  /J(dX  <-<expression>)  «-*  o#<3X  =/3(<expression>) 


X:Q  =*  /3(<compound> ) 

~  X : 0  =>  ,0(BEGIN  <state>l;  .  .  .  ;<state>k  END) 

♦-  X : Q  =>  [  0(<state>l) ;  .  .  .  ;  /3(<state>k)  ] 


X:Q  =»  p(<conditional>) 

*->  X:Q  =>  /? ( I F  <bool  expression>  THEN  <state>l  ELSE  <state>2) 
X.QA/?(<bool  expression:*)  =>  /9(<state>l)A  Tnext; 

QA/3(  ’<bool  expression>)  =»  /3(<state>2) ; 
next : 


X  : Q  =>  /3(<whi  le  state>) 

«-»  X : Q  =»  /3(WHILE  <bool  expression>  DO  <state>  END) 
«-•  X  :  Qa/?  ( <boo  1  expression>)  =»  /?(<state>)T  X; 
0A/9(-’<bool  expression>)  => 


/j'<goto>)  «-*  /3(GOTO  X) 

«  f  X 

These  equations  constitute  the  semantics  of  Sample  in  terms  of  XYZ/E,  whose  own  denotational 
semantics  is  direct.  They  also  describe  a  compiler  which  translates  Sample  programs  into  XYZ/E.  This 
is  what  we  call  two-level  formal  semantics  and  semantic-directed  compilation. 

It  is  easy  to  see  that  an  inverse  transformation  which  translates  an  XYZ/E  program  back  into  Sample 
exists. 
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